Facility Access Control Systems
Office of Inspector General, U.S. Securities and Exchange Commission

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document, contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

AUDIT MEMORANDUM No. 29
April 29, 2003

To: James McConnell
Jayne Seidman
Margaret Carpenter
Kenneth Fogash
From: Walter Stachnik
Re: Facility Access Control Systems

BACKGROUND

We performed audit work to determine whether the Commission's headquarters, regional, and district office facility access control systems (ACS) were acquired, installed, and operated in accordance with SECR 24-2, Information Technology Security Program. We determined that headquarters and six of the regional and district offices own a variety of ACSs acquired from a number of vendors.

The ACSs are used to control and restrict physical access to Commission facilities and office space. Individuals are assigned privileges to physically access controlled and restricted office space based on their job-related responsibilities.

Access control systems are generally made up of four basic components: cards, readers, controllers, and software. The Commission's ACS hardware and software components include card readers, personal computer (PC) workstations, client-servers, controllers, modems, and operating system software such as Microsoft Windows 98 and Windows 2000.

REQUIREMENTS AND RESPONSIBILITIES

SECR 24-2, Information Technology Security Program, and SECR 24-2.4 Version 1, Technical Bulletin Information Technology Certification and Accreditation, establish policies, responsibilities, and authorities for establishing adequate and appropriate levels of protection for all information technology (IT) resources owned or leased by the SEC. The SEC's IT Security Program encompasses information resources and equipment such as personal computer workstations, network file servers, modems, microcomputer-based hardware and software, telecommunications equipment, and other computer components and electronics.

System owners and sponsors are to identify, establish, and implement adequate and appropriate safeguards for the IT resources under their control. IT resource owners and sponsors are to perform a security risk assessment to identify, characterize, and document the:

Criticality and sensitivity of the IT resource;
Magnitude of security risks the IT resource is exposed to; and
Management, operational, and technical controls and safeguards necessary to protect the IT resource's components and data contents from unauthorized use and access.

In addition, system owners are to consult with the Commission's IT Security Officer to ensure that appropriate IT security requirements are included in the acquisition and operation of all IT hardware, software, equipment, applications, or related services. The Office of Administrative and Personnel Management (OAPM) is the system owner for Commission ACSs.

FINDINGS

We determined that OAPM should perform information systems security risk assessments for the facility access control systems owned and acquired by the headquarters, regional, and district offices.

Performing the risk assessments would ensure that appropriate managerial, operational, and technical security controls are identified and implemented to mitigate potential vulnerabilities presented by ACS hardware and software components (e.g., personal computer (PC) workstations, client-servers, controllers, modems, application software, and operating system software). The risk assessments would also ensure that headquarters, regional, and district offices establish and implement procedures to back up ACS database files.

In addition, we determined that servers, PC workstations, monitors, modems, and software acquired as part of a facility access control system need to be reclassified in the Commission's financial accounting system as Information Systems and Telecommunications Equipment and Information Systems Software.

We concluded that by performing the prescribed information systems security risk assessments, OAPM would attain more reasonable assurance that potential ACS computer vulnerabilities are identified and that appropriate safeguards are established and implemented to mitigate unacceptable risks.

RECOMMENDATIONS

Recommendation A

OAPM should coordinate with the Office of Information Technology (OIT) and OFM to obtain the resources (technical assistance and contractor support) necessary to inventory all Commission access control systems, assess security risks, and implement appropriate systems security controls.

In implementing Recommendation A, OAPM should establish an action plan with milestones to complete all required facility access control system risk assessments within the next 8 months. The action plan should ensure that an inventory is performed of all headquarters, regional, and district office facility access control system configurations to identify all information technology components, hardware, software, and operating systems. Based on the results of the inventory, OAPM should consult with the OIT Security Officer to determine the scope and extent of the risk assessments required for each facility access control system configuration. The scope and extent of each risk assessment should be based on the size and sophistication of each access control system. OAPM should then perform risk assessments for each facility access control system, document the risk assessment results, and implement appropriate safeguards based on the results of each risk assessment.

In addition, OAPM should establish controls to ensure that future acquisitions of facility access control systems undergo a computer security risk assessment to identify the computer security controls necessary to mitigate vulnerabilities and risks presented by ACS hardware and software components.

Recommendation B

OFM should reclassify as Information Systems and Telecommunications Equipment and Information Systems Software the ACSs currently recorded as Office Machines and Equipment in its financial accounting system records.

cc: Mark Brickman
Brian Bussey
James Clarkson
Kim Davis
Darrell Dockery
George Eckard
Harry Fleming
Stephen Johnston
Darlene Pryor
Donald Sherman
Peggy Stanton
Victor Tynes